You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
bas smit 494cc319de add 'testing' entry to pr checklist 6 days ago
.github add 'testing' entry to pr checklist 8 hours ago
cmake Fix linking errors for LLVM and libbcc_bpf 2 months ago
docker Add clang build in CI 1 month ago
docs docs: notes for developers 8 hours ago
images update image and add source 1 year ago
man man: fix quotes in bpftrace manual 2 months ago
resources clang_parser: workaround for asm_inline in 5.4+ kernel headers 6 months ago
scripts testing: add script to compare BPF between versions 2 weeks ago
snap snapcraft: limit version string to 32 characters 3 months ago
src irbuilderbpf.cpp, bpforc.h: Fix compilation with LLVM 11 2 days ago
tests Logging: add an option to disable warning messages. 3 days ago
tools syncsnoop: trace sync_file_range2 when needed 2 months ago
.clang-format Non-invasive formatting of src/*.h 7 months ago
.editorconfig Add basic editorconfig for defining style (#775) 1 year ago
.gitattributes Highlight bpftrace source files 10 months ago
.gitignore codegen: avoid accidental checking of LLVM bytecode 2 weeks ago
.lgtm.yml Add LGTM security analyzer 3 months ago Logging: add an option to disable warning messages. 3 days ago
CMakeLists.txt 0.11 release 3 weeks ago fix typos 1 year ago When installing from source on ubuntu and Fedora, non-root users 4 months ago
LICENSE Relicense under Apache 2.0 2 years ago Add discourse shield to README 2 weeks ago
Vagrantfile vagrant: add fedora 32 3 weeks ago Use host network when building docker image 5 months ago Use host network when building docker image 5 months ago Use host network when building docker image 5 months ago Split Docker build process into separate shell script files 3 years ago


Build Status IRC #bpftrace Total alerts Discourse topics

bpftrace is a high-level tracing language for Linux enhanced Berkeley Packet Filter (eBPF) available in recent Linux kernels (4.x). bpftrace uses LLVM as a backend to compile scripts to BPF-bytecode and makes use of BCC for interacting with the Linux BPF system, as well as existing Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level dynamic tracing (uprobes), and tracepoints. The bpftrace language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap. bpftrace was created by Alastair Robertson.

To learn more about bpftrace, see the Reference Guide and One-Liner Tutorial.


The following one-liners demonstrate different capabilities:

# Files opened by process
bpftrace -e 'tracepoint:syscalls:sys_enter_open { printf("%s %s\n", comm, str(args->filename)); }'

# Syscall count by program
bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'

# Read bytes by process:
bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret/ { @[comm] = sum(args->ret); }'

# Read size distribution by process:
bpftrace -e 'tracepoint:syscalls:sys_exit_read { @[comm] = hist(args->ret); }'

# Show per-second syscall rates:
bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @ = count(); } interval:s:1 { print(@); clear(@); }'

# Trace disk size by process
bpftrace -e 'tracepoint:block:block_rq_issue { printf("%d %s %d\n", pid, comm, args->bytes); }'

# Count page faults by process
bpftrace -e 'software:faults:1 { @[comm] = count(); }'

# Count LLC cache misses by process name and PID (uses PMCs):
bpftrace -e 'hardware:cache-misses:1000000 { @[comm, pid] = count(); }'

# Profile user-level stacks at 99 Hertz, for PID 189:
bpftrace -e 'profile:hz:99 /pid == 189/ { @[ustack] = count(); }'

# Files opened, for processes in the root cgroup-v2
bpftrace -e 'tracepoint:syscalls:sys_enter_openat /cgroup == cgroupid("/sys/fs/cgroup/unified/mycg")/ { printf("%s\n", str(args->filename)); }'

More powerful scripts can easily be constructed. See Tools for examples.


For build and install instructions, see


bpftrace contains various tools, which also serve as examples of programming in the bpftrace language.

For more eBPF observability tools, see bcc tools.

Probe types

See the Reference Guide for more detail.


For additional help / discussion, please use our discourse.



For development and testing a Vagrantfile is available.

Make sure you have the vbguest plugin installed, it is required to correctly install the shared file system driver on the ubuntu boxes:

$ vagrant plugin install vagrant-vbguest

Start VM:

$ vagrant status
$ vagrant up $YOUR_CHOICE
$ vagrant ssh $YOUR_CHOICE


Copyright 2019 Alastair Robertson

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.